AlexFeren
New Contributor III

Registering unregistered devices

Hi FortiManager admins,

Reading the FortiManager administration guide, I understand that FortiManager's built-in FDS replies to FortiGuard update and query connections from devices registered within its Device Manager; however, it may allow certain requests from unregistered devices. What's unclear to me is: would the previously unregistered devices requesting the above updates and queries become registered or remain unregistered? If the former, what's the functional difference between having "allow_register" enabled and "unreg_dev_opt" set to "add_allow_service"?

R's, Alex

 

scao_FTNT
Staff

They are still in the unregistered device list and you need to manually add them into Device Manager.

For FMG providing FGD service to FGTs, FMG works for added/registered FGTs, and can also work for unregistered devices.

There are different ways for a device to be listed in the unregistered device list, like log triggered and central management config triggered. You can also just configure an override server on the FGT side to send FGD requests to FMG, and this FGT can also be listed in the FMG unregistered device list (you can see it in CLI "diag device list", but the GUI will hide this type of unreg device), and FMG can also provide service for this unreg device.

The CLI you mentioned, "set unreg_dev_opt add_allow_service", means FMG will add the FGT to the unreg list and provide service to these unreg devices. The other option is that FMG will add the FGT to the unreg list, but do NOT provide service until you add this FGT into Device Manager.

The other CLI you mentioned, "allow_register", is a different FMG feature: you can allow FGTs to auto-register into Device Manager and also set a password (set register_passwd), and on the FGT you can use CLI "exec central-mgmt register-device" to auto add this device into FMG Device Manager (from the unregistered device list).

 

Thanks

 

Simon

 

 

AlexFeren
New Contributor III

Simon

Thanks for the response.

scao_FTNT wrote:
"different ways for device be listed in unregistered device list like log triggered"

Can you elaborate on log triggered?

"central management config triggered"

Is this FortiGate's "exec central-mgmt register-device"?

"just config override server on FGT side to send FGD request to FMG"

Is this FortiGate's "system central-management" "server-list"?

 

R's, Alex

hklb

Hi Simon,

 

Do you know the purpose of the value "svc-only" for the option "unreg-dev-option"? What will the FMG do exactly?

(fds-setting)# set unreg-dev-option ?
add-service Add unregistered devices and allow update request.
ignore Ignore all unregistered devices.
svc-only Allow update requests without adding the device.

I didn't find any information in the documentation.

 

Regards

 

Lucas

scao_FTNT
Staff

Hi Alex, I am using FOS 5.2.3 as an example.

For 1, you can configure the FGT to send logs to FMG (but FMG needs to have FAZ features enabled from System settings - dashboard - system information widget - bottom line "FortiAnalyzer Features"):

config log fortianalyzer setting
    set status enable
    set server xx.xx.xx.xx
    set upload-option realtime
end

After FMG receives a log from an FGT, FMG will list this device in the FMG unregistered device list as a "Logging Only" mode device.

For 2, you can find this on the FGT GUI - admin - settings - "Central Management": you choose FMG and then click "Send Request", then the FGT will be listed on the FMG unregistered device list as a "Configuration & Logging" device.

For 3, yes, this is the FOS 5.2.3 CLI as below:

config system central-management
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.3.112.92
        next
    end
end

Thanks

 

Simon
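
An added example, not part of the thread or of any Fortinet tooling: a small audit helper that reads a FortiGate configuration and reports the two config-visible triggers quoted above (log forwarding and the `server-list` override) that make a device contact an FMG and so appear in its unregistered device list. The function names and the sample log server address `192.0.2.10` (standing in for the elided `xx.xx.xx.xx`) are constructed for illustration.

```python
import shlex

# Constructed sample: the two FOS 5.2.3 snippets from the thread; the log
# server address is a documentation-range placeholder, not a value from the page.
SAMPLE_CONFIG = """\
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
    set upload-option realtime
end
config system central-management
    config server-list
        edit 1
            set server-type update rating
            set server-address 10.3.112.92
        next
    end
end
"""

def parse_settings(text):
    """Flatten nested config/edit blocks into {path tuple: {key: [values]}}."""
    settings, path = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        verb, args = tokens[0], tokens[1:]
        if verb in ("config", "edit"):
            # "config a b" is stored as "a b"; "edit 1" is stored as "edit 1"
            path.append(" ".join(args if verb == "config" else tokens))
        elif verb in ("end", "next") and path:
            path.pop()
        elif verb == "set" and args:
            settings.setdefault(tuple(path), {})[args[0]] = args[1:]
    return settings

def fmg_triggers(text):
    """Return (service, server) pairs for which this device will contact an FMG."""
    found = []
    for path, kv in parse_settings(text).items():
        if path == ("log fortianalyzer setting",) and kv.get("status") == ["enable"]:
            found.append(("log", (kv.get("server") or ["?"])[0]))
        elif path[:2] == ("system central-management", "server-list"):
            for svc in kv.get("server-type", []):
                found.append((svc, (kv.get("server-address") or ["?"])[0]))
    return found

if __name__ == "__main__":
    for service, server in fmg_triggers(SAMPLE_CONFIG):
        print(f"{service:7} -> {server}")
```

Run over a fleet's configuration backups, the output can be compared with the FMG's "diag device list" to account for unregistered entries that the GUI hides.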
